A method and device for preventing a roaming user terminal from re-authentication are provided. The method includes: when the virtual local area network (VLAN) of a roaming user terminal changes, change information of the roaming user terminal is reported to a broadband remote access server (BRAS) via an access controller (AC), and the BRAS reports the modified information of the roaming user terminal to an Authentication, Authorization, Accounting (AAA) server.
1. A method for preventing a roaming user terminal from re-authentication, comprising:
receiving, by a broadband remote access server (BRAS), change information of a roaming user terminal reported by an access controller (AC), the change information indicating that a virtual local area network (VLAN) of the roaming user terminal has changed, wherein the change information of the roaming user terminal received by the BRAS comprises an identifier of a logic port accessed by the roaming user terminal, a unique identifier of the roaming user terminal, a state of the roaming user terminal, and a time that the state changed;
modifying, by the BRAS, information of the roaming user terminal corresponding to the change information reported by the AC, wherein the modified information of the roaming user terminal is an item in a table maintained at the BRAS;
reporting, by the BRAS, the modified information of the roaming user terminal to an Authentication, Authorization, Accounting server (AAA server); and
allowing, by the BRAS, the roaming user terminal to access a network with an internet protocol (IP) address of the changed VLAN.
2. The method according to
receiving, by the BRAS, a confirmation from the AAA server after the AAA server has modified corresponding table item information of the roaming user terminal based on the modified information of the roaming user terminal reported by the BRAS.
3. The method according to
after receiving the confirmation from the AAA server, allowing, by the BRAS, the access of the roaming user terminal to the network with the IP address of the changed VLAN.
4. The method according to
5. The method according to
6. The method according to
7. The method according to
8. A broadband remote access server (BRAS) for preventing a roaming user terminal from re-authentication, comprising:
a processor; and
a memory on which is stored machine readable instructions that are to cause the processor to:
receive change information of the roaming user terminal with a changed virtual local area network (VLAN), wherein the change information is reported by an access controller (AC), and wherein the change information of the roaming user terminal with the changed VLAN comprises an identifier (ID) of a logic port accessed by the roaming user terminal, a unique ID of the roaming user terminal, a state of the roaming user terminal, and a time that the state changed,
modify table item information related to the roaming user terminal based on the received information, wherein the table item information is in a table maintained by the processor,
report the modified information of the roaming user terminal to an Authentication, Authorization, Accounting server (AAA server),
receive a confirmation message sent by the AAA server, and
allow the roaming user terminal to access a network with an internet protocol (IP) address of the changed VLAN.
9. The BRAS according to
10. The BRAS according to
11. The BRAS according to
12. An Authentication, Authorization, Accounting server (AAA server) for preventing a roaming user terminal from re-authentication, comprising:
a processor; and
a memory on which is stored machine readable instructions that are to cause the processor to:
receive change information of the roaming user terminal with a changed virtual local area network (VLAN) from a broadband remote access server (BRAS), wherein the change information of the roaming user terminal with the changed VLAN comprises an identifier (ID) of a logic port accessed by the roaming user terminal, a unique ID of the roaming user terminal, a state of the roaming user terminal, and a time that the state changed,
modify table item information related to the roaming user terminal based on the received change information, and
return a confirmation message to the BRAS.
13. A system for preventing a roaming user terminal from re-authentication, comprising:
an access controller (AC);
a broadband remote access server (BRAS); and
an Authentication, Authorization, Accounting server (AAA server),
wherein, upon receiving an access request from the roaming user terminal, the AC is to:
detect whether a virtual local area network (VLAN) of the roaming user terminal has changed,
when detecting that the VLAN of the roaming user terminal has changed, store the changed VLAN of the roaming user terminal and report the changed information of the roaming user terminal to the BRAS; and
when detecting that the VLAN of the roaming user terminal has not changed, allow the roaming user terminal to access a network with an internet protocol (IP) address of the unchanged VLAN;
wherein the BRAS is to:
receive the changed information of the roaming user terminal with the changed VLAN that is reported by the AC, wherein the change information of the roaming user terminal with the changed VLAN comprises an identifier (ID) of a logic port accessed by the roaming user terminal, a unique ID of the roaming user terminal, a state of the roaming user terminal, and a time that the state changed,
modify table item information related to the roaming user terminal, wherein the table item information is in a table maintained by the BRAS,
report the modified information of the roaming user terminal to the AAA server,
receive a confirmation that the update is complete from the AAA server, and
allow the roaming user terminal to access the network with the IP address of the changed VLAN;
wherein the AAA server is to modify table item information related to the roaming user terminal according to the modified information of the roaming user terminal with the changed VLAN received from the BRAS, and return a confirmation message to the BRAS.
The present application is a national stage filing under 35 U.S.C. 371 of PCT application number PCT/CN2011/084426, having an international filing date of Dec. 22, 2011, which claims priority to Chinese Patent Application No. 201010621703.8, filed on Dec. 24, 2010, the disclosures of which are hereby incorporated by reference in their entireties.
Computing devices are becoming more mobile and more connected. When a wireless computing device migrates from a first access point to a second access point within a wireless network, re-authentication may be triggered. The re-authentication can disrupt the wireless service to the computing device and may disrupt the user's experience.
The accompanying drawings illustrate various examples of the principles described herein and are a part of the specification. The illustrated examples are merely examples and do not limit the scope of the claims.
Throughout the drawings, identical reference numbers designate similar, but not necessarily identical, elements.
Computing devices can connect to each other and to a variety of networks using a number of communication technologies. Wireless Local Area Network (WLAN) technology is a widely used communication technology that includes the popular Wireless Fidelity (Wi-Fi) technology. Wireless networking allows two or more points that are not physically connected to communicate.
In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present systems and methods. It will be apparent, however, to one skilled in the art that the present apparatus, systems and methods may be practiced without these specific details. Reference in the specification to “an example” or similar language means that a particular feature, structure, or characteristic described in connection with the example is included in at least that one example, but not necessarily in other examples.
Another component within the WLAN architecture (100) is a Broadband Remote Access Server (BRAS) (110). The BRAS (110) routes traffic between the access controllers (120, 122) and a network (105). For example, the network may be a Metropolitan Area Network (MAN) that accesses the internet. The BRAS (110) aggregates remote user terminal (130) sessions from the access controllers (120, 122), injects policy management and enforces quality of service policies. The BRAS (110) is also responsible for assigning network parameters such as Internet Protocol (IP) addresses to the clients. A remote user terminal is authenticated by sending an access request to the access controller (120) via an access point (125). This access request is then passed to the BRAS (110). The BRAS (110) sends an authentication request and the corresponding user information to an Authentication, Authorization, Accounting server (AAA server) (115). The AAA server (115) determines whether the remote user terminal (130) is a valid user, validates the user's credentials, determines which serving strategy should be applied to the user, and sends the results to the BRAS (110). The BRAS (110) executes actions according to the results returned by the AAA server (115). The remote user terminal (130) can then access the network (105).
Wireless networks are adapted to provide connectivity to a variety of remote user terminals (130). When a remote user terminal (130) migrates from a first access point (125) to a second access point (127), the user's IP address within the Virtual Local Area Network (VLAN) may change. This triggers re-authentication of the remote user terminal (130) on the network (105). As discussed above, this re-authentication may include sending a re-authentication request from the remote user terminal (130) through the new access point (127) and its associated access controller (122) to the BRAS (110). The BRAS (110) then sends the authentication request to the AAA server (115). If the AAA server (115) validates the request, the BRAS (110) provides access to the remote user terminal (130) through the new access point (127) via its associated access controller (122). This process can disrupt communication between the remote user terminal (130) and the network (105). This disruption in service can significantly affect a user's experience. For example, if the user is consuming streaming media, the media stream would be disrupted. If the user is downloading a file, the downloading may be terminated and the user may have to start over with the download.
In some implementations, re-authentication can be prevented by modifying the user's credentials and/or communication stream at the access controller (120, 122) to conceal the migration between access points (125) from BRAS (110). For example, the access controller (120, 122) determines when a remote user terminal (130) moves between access points (125). Then the access controller (120, 122) can encapsulate packets sent from the wireless network (105) and passed to the BRAS (110) so that the packets appear to have originated with the original access point (125). Thus, although the user is roaming, the BRAS (110) does not perceive the change in wireless access points and the IP address of the remote user terminal (130) remains the same.
If the remote user terminal (130) migrates from a first access point (125) controlled by a first access controller (120) to a second access point (127) controlled by a different access controller (122), the two access controllers (120, 122) can synchronize remote user terminal (130) information and continue to mask the migration between access points (125, 127). Data from the network (105) addressed to the remote user terminal (130) is transmitted transparently to the original access controller (120) and then forwarded to the new access controller (122) for distribution to the remote user terminal (130).
This method shields migration of the remote user terminal (130) from the BRAS (110) but can create a number of inefficiencies in the wireless network (105). For example, the BRAS (110) is unaware of the actual location of the remote user terminal (130) and is unable to accurately assess bandwidth controls and quality of services policies. This technique can also interfere with individualized control of different access points (125, 127).
In block 202, the access controller detects whether the wireless device has changed access points or moved between Virtual Local Area Networks (VLAN). A VLAN is a group of hosts with a common set of requirements that communicate as if they are attached to the same broadcast domain, regardless of their physical location. If no change is detected, the method proceeds to block 209 and provides the user with authentication and with direct access to the network as described above. If the access controller determines that the user has migrated to a different access point or VLAN, the access controller stores information identifying the change and the method proceeds to block 203.
For example, when a WLAN terminal sends an association request to a first access point (125), the first access point (125) may transparently forward the request to the AC over a channel established between the first access point (125) and the AC. The AC may then allow the WLAN terminal to associate, and record the user information and AP information of the WLAN terminal. As the WLAN terminal moves, when it detects that the signal strength of a second access point (127) exceeds that of the first access point (125) and reaches a threshold, and at the same time the packet loss rate between the WLAN terminal and the first access point (125) reaches another threshold, the WLAN terminal may actively trigger the roaming process, that is, send a re-association packet to the second access point (127). Likewise, the second access point (127) does not process the received re-association packet itself, but forwards it to the AC over the channel established between the AC and the second access point (127). By querying the previously recorded user information, the AC finds that the WLAN terminal is already associated, learns that the WLAN terminal is now accessing through a new access point, and confirms that the WLAN terminal is a roaming user terminal. The AC therefore allows the WLAN terminal to re-associate with the second access point (127). The WLAN terminal then sends a packet to cancel its association with the first access point (125), and the roaming is complete.
In block 203, the access controller compares the current connection information of the roaming user terminal with the original pre-roaming connection information. This allows the access controller to determine whether the migrating roaming user terminal is a legal user. Specifically, there are two kinds of roaming: roaming within an access controller and roaming between access controllers. For roaming within an access controller, the same access controller can directly obtain the pre-roaming information. For roaming between access controllers, a roaming group may be configured that includes the pre-roaming access controller and the post-roaming access controller, so that the two access controllers synchronize user information. When roaming between access controllers occurs, the post-roaming access controller learns the pre-roaming information of the user by querying the synchronized information. The access controller then reports the current connection information of the roaming user terminal to the BRAS.
Reported information of the roaming user terminal may include:
an identifier of the logic port accessed by the roaming user terminal: access controller name/identifier + AP name/identifier + actual radio name/identifier + logic port name/identifier;
a unique identifier of the roaming user terminal: the Media Access Control (MAC) address of the roaming user terminal, the IP information of the roaming user terminal with the unchanged VLAN, and the IP information of the roaming user terminal with the changed VLAN;
the state of the roaming user terminal: roaming; and
the time at which the change of state occurs.
In block 204 the BRAS receives the information and modifies a connection table to include the information. This provides the BRAS with an accurate view of the location and connectivity of the wireless devices connected to the network.
In block 205, the BRAS reports the modified information of the roaming user terminal to the AAA server. This information could be reported in the form of a connection table. In one implementation, the connection table includes an identifier (ID) of the roaming user terminal, the MAC of the roaming user terminal, the IP of the roaming user terminal, the VLAN of the roaming user terminal and the state of the roaming user terminal.
For example, the connection table reported to the AAA server by the BRAS when a certain roaming user terminal is authenticated for the first time is shown in Table 1.
TABLE 1
| ID of device | MAC of roaming user terminal | IP of roaming user terminal | VLAN of roaming user terminal | State of roaming user terminal |
| 10 | 001f-3cdd-25c5 | 60.11.162.36 | 162 | Authentication is passed. |
After roaming, the BRAS modifies the reported information according to the information reported by the access controller, as shown in Table 2, and then reports the modified information of the roaming user terminal to the AAA server.
TABLE 2
| ID of device | MAC of roaming user terminal | IP of roaming user terminal | VLAN of roaming user terminal | State of roaming user terminal |
| 0 | 001f-3cdd-25c5 | 60.11.161.36 | 161 | Authentication is passed. |
In block 206, the AAA server updates table item information related to access of the roaming user terminal.
The information in the original table item related to the roaming user terminal, as stored in the AAA server, is shown in Table 3.
TABLE 3
| Name of device | Password | Access time | IP of roaming user terminal | VLAN of roaming user terminal | IP of access device |
| Zhang San | 123456 | 2008-01-11 18:52:18 | 60.11.162.36 | 162 | 60.11.1.36 |
After the user begins to roam, the original table item information of the user stored in the AAA server is updated according to the information reported by the BRAS, as shown in Table 4.
TABLE 4
| Name of device | Password | Access time | IP of roaming user terminal | VLAN of roaming user terminal | IP of access device |
| Zhang San | 123456 | 2008-01-11 18:52:18 | 60.11.161.36 | 161 | 60.11.1.36 |
In block 207, the AAA server sends a confirmation message to the BRAS, reporting that the update is complete.
In block 208, the BRAS allows the roaming user terminal to access the network with the IP address of the changed VLAN.
In block 209, the roaming user terminal directly accesses the network.
According to the implementation shown in
The access controller detecting module (301) is designed to receive an access request from a roaming user terminal, and detect whether the VLAN of the roaming user terminal changes. The access controller detecting module (301) compares the pre-roaming VLAN of the roaming user terminal stored in the access controller with the after-roaming VLAN of the roaming user terminal. When the pre-roaming VLAN is the same as the after-roaming VLAN, the access controller detecting module (301) determines the VLAN of the roaming user terminal is unchanged. Otherwise, the access controller detecting module (301) determines the VLAN of the roaming user terminal has changed.
When a change in the VLAN of the roaming user terminal is detected, the access controller detecting module (301) reports the roaming user terminal information to the BRAS processing module (302). If no change is detected, the roaming user terminal directly accesses the network.
The roaming user terminal information reported by the access controller detecting module (301) may include a variety of data. For example, the terminal information may include an identifier of the logic port accessed by the roaming user terminal. This logic port identifier may include an AC name/identifier + an AP name/identifier + an actual radio name/identifier + a logic port name/identifier. The terminal information may also include a unique identifier of the roaming user terminal: the MAC of the roaming user terminal, the IP information of the unchanged VLAN of the roaming user terminal, and the IP information of the changed VLAN of the roaming user terminal. The terminal information may also include a state of the roaming user terminal (roaming or not roaming) and the time of the change in state.
The BRAS processing module (302) connects with the access controller detecting module (301) and the AAA server processing module (303) and receives the changed information about the roaming user terminal reported by the access controller detecting module (301). The BRAS processing module modifies the BRAS table according to the changed information and reports the changed information to the AAA server processing module (303). The BRAS (110) receives a confirmation message sent by the AAA server processing module (303) reporting that the update is complete. The roaming user terminal is then allowed to access the network with the IP address of the changed VLAN.
The modified roaming user terminal information reported by the BRAS processing module (302) to the AAA server processing module (303) includes: an ID of the roaming user terminal, the MAC of the roaming user terminal, the IP of the roaming user terminal, the VLAN of the roaming user terminal and the state of the roaming user terminal.
The AAA server processing module (303) connects with the BRAS processing module (302) and receives the changed information of the roaming user terminal reported by the BRAS processing module (302). The AAA server modifies entries in the AAA server table according to the changed information and sends a confirmation of the update to the BRAS processing module (302).
In some implementations, the access controller (120), the BRAS (110), and the AAA server (115) may be implemented separately on appropriate computing devices interconnected by Ethernet. The access controller (120), the BRAS (110), and the AAA server (115) may be implemented, separately or in combination, on multi-core processors.
The roaming user terminal (401) sends an access request to the access controller (402). After receiving the access request sent by the roaming user terminal (401), the access controller (402) detects whether VLAN of the roaming user terminal (401) has changed. When the VLAN of the roaming user terminal (401) is changed, the access controller (402) reports the changed information of the roaming user terminal to the BRAS (403). The BRAS (403) receives the changed information, including the changed VLAN reported by the access controller (402). The BRAS modifies the corresponding table items and reports the updated roaming user terminal information to the AAA server (404). After receiving the modified information reported by the BRAS (403), the AAA server (404) updates a corresponding AAA table and sends a confirmation message to the BRAS (403) indicating that the update is complete. This allows the roaming user terminal (401) to access the network with the IP address of the changed VLAN. When detecting that the VLAN of the roaming user terminal (401) has not changed, the access controller (402) allows the roaming user terminal (401) to directly access the network with the IP address of the unchanged VLAN.
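The flow of blocks 202 to 209, the module description above, and the message sequence just described, as an added example that is not code from the patent or from H3C: a Python simulation in which an access controller detects the VLAN change, builds the change information listed under block 203, and the BRAS and AAA server update records laid out like Tables 1 and 3 before the terminal is admitted with the IP address of the changed VLAN. The Session, ChangeReport, AAAServer, BRAS and AccessController classes, the dictionary shared by the two access controllers standing in for roaming-group synchronization, the "authenticated"/"roaming" state values, and the check that the reported pre-roaming IP matches the session the BRAS holds are assumptions of the example; the page specifies neither message formats nor these checks.

```python
"""Simulation of the roaming update flow of blocks 202-209 (added example, not
the patent's code): the AC detects a VLAN change, reports it to the BRAS, the
BRAS updates its own table and the AAA server, and the terminal is admitted
with its new IP without re-authentication. Record layouts follow Tables 1 and 3."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Session:
    """What an AC stores when a terminal first associates (assumed layout)."""
    mac: str
    ac: str
    ap: str
    radio: str
    port: str
    vlan: int
    ip: str

    def logic_port_id(self) -> str:
        # AC name + AP name + radio name + logic port name (block 203 list)
        return f"{self.ac}/{self.ap}/{self.radio}/{self.port}"


@dataclass
class ChangeReport:
    """Change information the AC reports to the BRAS (the items of block 203)."""
    logic_port_id: str
    mac: str
    old_ip: str       # IP in the unchanged VLAN
    new_ip: str       # IP in the changed VLAN
    new_vlan: int
    state: str        # "roaming"
    changed_at: str   # time the state changed


class AAAServer:
    """Table 3 layout (name, access time, IP, VLAN, access-device IP).
    The plaintext password column of Table 3 is deliberately not kept here."""
    def __init__(self, table: dict[str, dict]):
        self.table = table

    def update(self, mac: str, ip: str, vlan: int) -> bool:
        row = self.table.get(mac)
        if row is None:
            return False                      # unknown user: no confirmation
        row["ip"], row["vlan"] = ip, vlan     # block 206
        return True                           # block 207: update complete


class BRAS:
    """Table 1 layout (ID, MAC, IP, VLAN, state) plus the admitted terminals."""
    def __init__(self, aaa: AAAServer, table: dict[str, dict]):
        self.aaa, self.table = aaa, table
        self.admitted: dict[str, str] = {}    # MAC -> IP the terminal may use

    def on_change_report(self, r: ChangeReport) -> bool:
        row = self.table.get(r.mac)
        # Only a terminal that already passed authentication may skip re-auth,
        # and the report must describe the session the BRAS actually holds
        # (assumed check; the page only says the AC verifies a "legal user").
        if row is None or row["state"] != "authenticated" or row["ip"] != r.old_ip:
            return False
        row.update(ip=r.new_ip, vlan=r.new_vlan, state=r.state,
                   port=r.logic_port_id)      # block 204
        if not self.aaa.update(r.mac, r.new_ip, r.new_vlan):   # block 205
            return False
        self.admitted[r.mac] = r.new_ip       # block 208
        return True


class AccessController:
    """One AC; `group` is the store shared by all ACs in a roaming group."""
    def __init__(self, name: str, group: dict[str, Session], bras: BRAS):
        self.name, self.group, self.bras = name, group, bras

    def on_access_request(self, mac, ap, radio, port, vlan, ip) -> str:
        prior = self.group.get(mac)           # intra- or inter-AC: same lookup
        if prior is None:
            return "first-access"             # not roaming: normal authentication path
        new = Session(mac, self.name, ap, radio, port, vlan, ip)
        if prior.vlan == vlan:                # block 202: VLAN unchanged
            self.group[mac] = new
            return "direct-access"            # block 209
        report = ChangeReport(new.logic_port_id(), mac, prior.ip, ip, vlan, "roaming",
                              datetime.now(timezone.utc).isoformat())   # block 203
        if not self.bras.on_change_report(report):
            return "re-authenticate"          # BRAS/AAA did not confirm: fall back
        self.group[mac] = new
        return "roamed"


def run_example() -> dict:
    """Replays Tables 1-4 with constructed data: the terminal moves from VLAN 162 to 161."""
    mac = "001f-3cdd-25c5"
    aaa = AAAServer({mac: {"name": "Zhang San", "access_time": "2008-01-11 18:52:18",
                           "ip": "60.11.162.36", "vlan": 162, "access_device": "60.11.1.36"}})
    bras = BRAS(aaa, {mac: {"id": 10, "ip": "60.11.162.36", "vlan": 162,
                            "state": "authenticated"}})
    group: dict[str, Session] = {}
    ac1, ac2 = AccessController("ac1", group, bras), AccessController("ac2", group, bras)
    group[mac] = Session(mac, "ac1", "ap1", "radio1", "port1", 162, "60.11.162.36")
    return {
        "unknown": ac2.on_access_request("0000-0000-0001", "ap2", "radio1", "port1", 161, "60.11.161.1"),
        "same_vlan": ac1.on_access_request(mac, "ap1b", "radio1", "port1", 162, "60.11.162.36"),
        "roam": ac2.on_access_request(mac, "ap2", "radio1", "port1", 161, "60.11.161.36"),
        "bras": bras.table[mac], "aaa": aaa.table[mac], "admitted": bras.admitted,
    }
```

Calling run_example() walks an unknown MAC (sent to the ordinary authentication path), a same-VLAN move within ac1 (direct access, block 209) and a move from ac1 to ac2 into VLAN 161 (the BRAS row ends in state "roaming" with IP 60.11.161.36, the AAA row carries the same IP and VLAN, and the terminal is admitted). Any report the BRAS or AAA server cannot confirm makes the AC answer "re-authenticate", so the terminal falls back to the full authentication exchange rather than being admitted on the AC's word alone.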
In conclusion, the systems and methods described above allow a roaming user terminal to migrate between access points and VLANs in a wireless network without re-authentication. This can be accomplished by detecting changes in the access point and/or the VLAN to which the roaming user terminal is connected and updating tables in the access controller, BRAS, and AAA server. Appropriate information is then returned to the BRAS to allow a properly authenticated user terminal to migrate between access points without re-authentication. The roaming user terminal is allowed to access the network with an Internet Protocol (IP) address of the changed VLAN. Thus, re-authentication of the roaming user terminal with the changed VLAN may be avoided while the BRAS is accurately updated with the actual access point of the roaming user terminal.
The preceding description has been presented only to illustrate and describe examples of the principles described. This description is not intended to be exhaustive or to limit these principles to any precise form disclosed. Many modifications and variations are possible in light of the above teaching.
Zheng, Tao, Zhang, Haitao, Yao, Min, Liu, Jianfeng, Shi, Yang, Chang, Xiangqing
Cited by:
| Patent | Priority | Assignee | Title |
| 11539731 | Oct 26 2020 | NETSKOPE, INC | Dynamic hyper context-driven microsegmentation |
| 11700282 | Oct 26 2020 | NETSKOPE, INC | Dynamic hyper context-driven microsegmentation |
Citations: 20040168054, 20040203752, 20060117104, 20110142048, CN101026866, CN101127707, CN102075904, CN1505314, CN1547343, CN1765082, CN1822574, EP1670205, WO2006118497.
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Dec 22 2011 | Hangzhou H3C Technologies Co., Ltd. | (assignment on the face of the patent) | | | | |
Apr 28 2012 | CHANG, XIANGQING | HANGZHOU H3C TECHNOLOGIES CO , LTD | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 030423 | /0821 | |
Apr 28 2012 | SHI, YANG | HANGZHOU H3C TECHNOLOGIES CO , LTD | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 030423 | /0821 | |
Apr 28 2012 | LIU, JIANFENG | HANGZHOU H3C TECHNOLOGIES CO , LTD | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 030423 | /0821 | |
Apr 28 2012 | ZHANG, HAITAO | HANGZHOU H3C TECHNOLOGIES CO , LTD | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 030423 | /0821 | |
Apr 28 2012 | ZHENG, TAO | HANGZHOU H3C TECHNOLOGIES CO , LTD | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 030423 | /0821 | |
Apr 28 2012 | YAO, MIN | HANGZHOU H3C TECHNOLOGIES CO , LTD | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 030423 | /0821 | |
May 01 2016 | H3C TECHNOLOGIES CO , LTD | Hewlett Packard Enterprise Development LP | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 039767 | /0263 | |
May 01 2016 | HANGZHOU H3C TECHNOLOGIES CO , LTD | Hewlett Packard Enterprise Development LP | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 039767 | /0263 |
Date | Maintenance Fee Events |
Mar 25 2019 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Apr 18 2023 | M1552: Payment of Maintenance Fee, 8th Year, Large Entity. |
Date | Maintenance Schedule |
Oct 27 2018 | 4 years fee payment window open |
Apr 27 2019 | 6 months grace period start (w surcharge) |
Oct 27 2019 | patent expiry (for year 4) |
Oct 27 2021 | 2 years to revive unintentionally abandoned end. (for year 4) |
Oct 27 2022 | 8 years fee payment window open |
Apr 27 2023 | 6 months grace period start (w surcharge) |
Oct 27 2023 | patent expiry (for year 8) |
Oct 27 2025 | 2 years to revive unintentionally abandoned end. (for year 8) |
Oct 27 2026 | 12 years fee payment window open |
Apr 27 2027 | 6 months grace period start (w surcharge) |
Oct 27 2027 | patent expiry (for year 12) |
Oct 27 2029 | 2 years to revive unintentionally abandoned end. (for year 12) |